How to grant dependent lib in jnlp file all permissions?


Problem description

I have a serious problem with Java Web Start that I can't get my head around. The situation is the following: I have a JavaFX app, written in Java 8, that I want to deploy using Java WebStart. Until recently I used HTTP for communications with a server, and everything worked fine. I could deploy the app using Web Start embedded in the browser or as a standalone app.

However I have now changed the communication to use WebSockets. For this I am currently using the tyrus implementation. And now comes the problem: Since I have added the tyrus lib, I always get an AccessControlException when tyrus tries to access a system property:

Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "weblogic.websocket.client.max-aio-threads" "read")
    at java.security.AccessControlContext.checkPermission(Unknown Source) ~[na:1.8.0_25]
    at java.security.AccessController.checkPermission(Unknown Source) ~[na:1.8.0_25]
    at java.lang.SecurityManager.checkPermission(Unknown Source) ~[na:1.8.0_25]
    at sun.plugin2.applet.FXAppletSecurityManager.checkPermission(Unknown Source) ~[na:na]
    at java.lang.SecurityManager.checkPropertyAccess(Unknown Source) ~[na:1.8.0_25]
    at java.lang.System.getProperty(Unknown Source) ~[na:1.8.0_25]
    at org.glassfish.tyrus.container.jdk.client.JdkClientContainer.openClientSocket(JdkClientContainer.java:106) ~[na:na]

However I can easily access exactly this property from any of my own classes, e.g. if I do this

logger.info(System.setProperty(ClientManager.WLS_MAX_THREADS, "1"));
logger.info(System.getProperty(ClientManager.WLS_MAX_THREADS));

I get the expected result with no security problems.

Of course I have made sure that all jars are fully signed, all jars have the Permissions: all-permissions flag in their Manifest.MF files, and the jnlp does have the required <security><all-permissions /></security> tag.

Apart from this I also tried using the jetty websocket implementation, however this gave me exactly the same problems.

So does anybody have an idea why the tyrus code is not able to access the same system property as the main code?

Recommended answer

Ok, thanks for the help, I finally found the answer. The hint by @Tom Hawtin gave me the right clue, I still need to wrap the call to webSocket.connectToClient() in AccessController.doPrivileged() to get full rights in the dependent code.

However I still don't fully understand why signed code with Permissions: all-permissions is not trusted, maybe I should read up on the WebStart security model.

Ok, after playing around much more and finding more weird bugs I found the real problem: When I integrated the WebSockets into the application I made heavy use of the CompletableFuture.xxxAsync() methods. And by default those are running on the common ForkJoinPool, which in turn runs on special threads (InnocuousForkJoinWorkerThread) if a security manager is present (as is obviously the case using jnlp). And those don't have any permissions whatsoever, which correctly triggered all those errors.

So the solution is to use a custom Executor for the xxxAsync(xxx, executor) calls.
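
The fix described in the answer above, as an added example that is not code from the original post: the one-argument supplyAsync() goes to the common ForkJoinPool, the two-argument form goes to an executor whose threads the application created itself. The class name, pool size and thread names are assumptions; the property name is the one from the exception message.

```java
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

public class AsyncExecutorExample {
    // Property name taken from the exception message in the question.
    static final String PROP = "weblogic.websocket.client.max-aio-threads";

    // Reads the property and reports which kind of thread did the read.
    static String readProperty() {
        Thread t = Thread.currentThread();
        return t.getClass().getName() + " [" + t.getName() + "] read " + System.getProperty(PROP);
    }

    public static void main(String[] args) throws Exception {
        System.setProperty(PROP, "1");
        AtomicInteger counter = new AtomicInteger();
        ThreadFactory factory = r -> {
            Thread t = new Thread(r, "app-async-" + counter.incrementAndGet());
            t.setDaemon(true); // do not keep the JVM alive after the UI exits
            return t;
        };
        ThreadPoolExecutor appPool = new ThreadPoolExecutor(
                2, 2, 0L, TimeUnit.MILLISECONDS, new LinkedBlockingQueue<Runnable>(), factory);
        // Create the workers now, on the application thread, so they inherit its
        // access control context rather than that of whichever thread submits first.
        appPool.prestartAllCoreThreads();
        try {
            // One-argument form: runs on ForkJoinPool.commonPool(). With a security
            // manager installed, its workers are InnocuousForkJoinWorkerThread.
            String viaCommonPool = CompletableFuture
                    .supplyAsync(AsyncExecutorExample::readProperty)
                    .exceptionally(e -> "failed: " + e)
                    .get(5, TimeUnit.SECONDS);
            // Two-argument form: runs on the application's own executor.
            String viaAppPool = CompletableFuture
                    .supplyAsync(AsyncExecutorExample::readProperty, appPool)
                    .get(5, TimeUnit.SECONDS);
            System.out.println("common pool: " + viaCommonPool);
            System.out.println("app pool:    " + viaAppPool);
        } finally {
            appPool.shutdown();
        }
    }
}
```

Run without a security manager, both reads succeed and only the reported thread class and name differ; the printed class name is the quickest way to confirm which pool an async stage actually ran on.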
